Monday, May 31, 2021

Review - HR 3138 Amended in Committee - State and Local Cybersecurity Improvement Act

Earlier this month the House Homeland Security Committee held a markup hearing that considered seven bills, including four cybersecurity related bills. One of those cyber bills was HR 3138, the State and Local Cybersecurity Improvement Act. Substitute language was adopted for the bill and it was ordered favorably reported, both by unanimous consent.

Changes to the bill made in the substitute language reflect a higher level of concern about ransomware incidents at the State and local level and some subtle differences in the way the bill treats Indian organizations.

Technically, this bill will not be able to move to the full House for consideration until the Committee report is published. The reality of the situation is that while Committee reports frequently take months to publish, Committee Chair Thompson (D,MS) could report the bill without a written report on the first day the House returns to Washington, currently scheduled to be June 14th. I do not think the bill will be considered quite that quickly, but it will probably be considered before the summer recess.

This bill will almost certainly be considered under the House suspension of the rules process. That process limits debate, prohibits floor amendments, and requires a super majority for passage. The unanimous consent approval in Committee means that the bill should receive wide-spread bipartisan support on the floor of the House.

For a more detailed analysis of the revisions made to this bill see my post on CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/hr-3138-amended-in-committee (subscription required).

Sunday, May 30, 2021

CFATS Tiering Fact Sheet – 5-30-21

Today I saw an interesting post on LinkedIn by Bryan McDonald, a chemical security inspector with the Office for Chemical Security in CISA. His post pointed at a Chemical Facility Anti-Terrorism Standards program fact sheet on “Tiering Methodology” that I had not seen. This is a nice overview of the enhanced tiering process that DHS started as part of their CSAT 2.0 upgrade back in 2016.

I was able to trace the fact sheet back to the “CFATS Tiering Methodology” web page. It has been quite some time (2018) since I last took a detailed look at that page. There have been some minor revisions and this fact sheet has certainly been updated for the CISA branding. It is well worth the read.

I have no idea when either the page or the fact sheet was updated. DHS stopped the practice of dating their web products when changes were made. Without those dates it is impractical for me to go back and check every CFATS related page (and there are a very large number of them) to watch for changes. And OCS does not report the changes to their web site on their CFATS Knowledge Center web site like they used to.

Saturday, May 29, 2021

CRS Report on Information Sharing and Disclosure Requirements

This week the Congressional Research Service (CRS) prepared a report for Congress on “Critical Infrastructure Policy: Information Sharing and Disclosure Requirements After the Colonial Pipeline Attack”. The Report looks at the apparent change in information sharing philosophy embodied by the attempt by the Biden Administration to require cybersecurity incident reporting under EO 14028.

The short report (2 pages) does not draw any conclusions, but it does outline the history of voluntary information sharing between privately owned critical infrastructure and the federal government. Anyone who wants to understand the impending debate in Congress on authorizing cybersecurity incident reporting mandates needs to understand this history.

Interestingly, this report was prepared before TSA published its Security Directive Pipeline-2021-01 mandating that pipeline operators report cyberattacks on their operational and information systems.

S 1260 Debate Continues – Endless Frontiers Act – 5-28-21

Yesterday the Senate continued their debate of S 1260, the Endless Frontiers Act. No action was taken on any amendments and no new amendments were introduced. When the Senate returns to Washington after the Memorial Day recess, it is scheduled to take up SA 1858 (pg S3279). Once action on that amendment is complete, the Senate will consider the substitute language without having to hold a cloture vote.

The vote on the final bill is currently scheduled for June 8th. Under the current agreement it will not require a cloture vote, but it will require a 60-vote supermajority to pass. As currently crafted, the bill will contain only the cybersecurity provisions added in the substitute language.

Before the substitute language is voted upon, there is a chance that there will be a unanimous consent motion to consider a bundle of amendments. The exact composition of that bundle is still subject to negotiation, but there is a possibility that one or more of the cybersecurity amendments offered by this point may be included.

Review - Public ICS Disclosures – Week of 5-22-21

This week there are 17 vendor disclosures from Bosch, B&R Automation, CODESYS (2), GE Grid Solutions, Moxa, Philips (2), Ruckus, Siemens (2), Texas Instruments (4), and VMware. There is one update from Boston Scientific.

Exploits are available for vulnerabilities mentioned in the following advisories:

B&R Automation - Automation Runtime NTP Service, and

Ruckus – IoT Controller

For more details about the vulnerabilities, please see my CFSN Detailed Analysis page on Substack: https://patrickcoyle.substack.com/p/public-ics-disclosures-c05  (subscription required).

Bills Introduced – 5-28-21

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 107 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 3594 To authorize appropriations to the Department of Transportation for surface transportation research, development, and deployment, and for other purposes. Rep. Johnson, Eddie Bernice [D-TX-30]

HR 3599 To establish a Federal rotational cyber workforce program for the Federal cyber workforce, and for other purposes. Rep. Khanna, Ro [D-CA-17]

HR 3608 To amend title 41, United States Code, to require information technology contractors to maintain a vulnerability disclosure policy and program, and for other purposes. Rep. Lieu, Ted [D-CA-33]

I will be watching HR 3594 for language and definitions that would indicate that there are cybersecurity research programs included in the coverage.

I will be watching the other two for language and definitions that would include control system security in the covered activities.

Friday, May 28, 2021

S 1260 Debate Continues – Endless Frontiers Act – 5-27-21

Yesterday the Senate continued their debate of S 1260, the Endless Frontiers Act. One of the amendments was adopted by a strongly bipartisan vote of 91 to 4. It was a very large tariff amendment that had nothing to do with cybersecurity. One other amendment was defeated by a recorded vote.

There were 84 new amendments offered yesterday (but not all were for this bill). One of the amendments (SA 2105, pg S3910) for this bill was a cybersecurity bill from Sen. Ossoff (D,GA) dealing with cybersecurity education. It was similar to S 2013 that Ossoff offered on Tuesday. It is not unusual for Senators to make minor changes to a submitted amendment in order to get it approved for consideration on the floor.

The bill was considered today (more on that after today’s Congressional Record is published tomorrow), but the vote on the bill was postponed until after the Memorial Day Holiday (a week long holiday in Congress).

Review - TSA Publishes Pipeline Cybersecurity Directive

Yesterday the Transportation Security Administration published “Security Directive Pipeline-2021-01” designed to enhance the cybersecurity of critical pipelines. This action was taken in response to the Colonial Pipeline ransomware attack earlier this month that shut down a major fuel supply pipeline for much of the East Coast.

The new Security Directive requires owners and operators of identified critical pipelines to:

• Report cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA).

• Designate a Cybersecurity Coordinator who is required to be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise.

• Review their current activities against TSA's recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA.

All information submitted to the TSA and CISA in compliance with this Directive will be treated as sensitive security information (SSI) in accordance with 49 CFR 1520. Essentially this means that it is exempt from public disclosure requirements and it will be protected in government and contractor systems as sensitive but unclassified information.

For a more detailed review, see my Substack blog, CFSN Indepth Analysis, https://patrickcoyle.substack.com/p/tsa-publishes-pipeline-cybersecurity (subscription required)

Bills Introduced – 5-27-21

Yesterday with just the Senate in session, there were 95 bills introduced. One of those bills may receive additional coverage in this blog:

S 1917 A bill to establish a K-12 education cybersecurity initiative, and for other purposes. Sen. Peters, Gary C. [D-MI]

Okay, it is highly unlikely that this bill will contain language or definitions relating to control system cybersecurity, but I am probably going to keep an eye on this bill, particularly if it authorizes significant funding, because elementary (in both senses of the word) cybersecurity education is going to be a long-term need for this country.

Thursday, May 27, 2021

5 Advisories and 5 Updates Published – 5-27-21

Today CISA’s NCCIC-ICS published five control system security advisories for products from Mitsubishi, Siemens, Mesa Labs, Johnson Controls, and GENIVI Alliance. They also published updates for advisories for products from Mitsubishi (3) and Siemens (2).

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R series CPU. The vulnerability was reported by Younes Dragoni of Nozomi Networks. Mitsubishi provides generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker can remotely exploit the vulnerability to prevent legitimate clients from connecting to an affected product.

Siemens Advisory

This advisory describes five vulnerabilities in the Siemens JT2Go and Teamcenter Visualization. The vulnerabilities were reported by Michael DePlante, Francis Provencher, and rgod via the Zero Day Initiative and Carsten Eiram from Risk Based Security.

The five reported vulnerabilities are:

• Out-of-bounds read (3) - CVE-2020-26998, CVE-2020-26999, and CVE-2020-27002,

• Stack-based buffer overflow - CVE-2020-27001,

• Untrusted pointer dereference - CVE-2020-26991

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to achieve arbitrary code execution or information leakage.

NOTE: I briefly discussed these vulnerabilities and the two JT2Go updates below last Saturday.

Mesa Labs Advisory

This advisory describes five vulnerabilities in the Mesa Labs AmegaView continuous monitoring hardware and software platform. The vulnerabilities were reported by Stephen Yackey of Securifera. There will be no update to mitigate the vulnerabilities because the product is approaching end-of-service (end of the year).

The five reported vulnerabilities are:

• Command injection - CVE-2021-27447 and CVE-2021-27449,

• Improper authentication - CVE-2021-27451,

• Authentication bypass using an alternate path or channel - CVE-2021-27453, and

• Improper privilege management - CVE-2021-27445   

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow remote code execution or allow access to the device.

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in the Sensormatic Electronics VideoEdge products. This is a third-party (sudo) vulnerability for which multiple exploits have been published. The vulnerability was self-reported.

NCCIC-ICS reported that a relatively low-skilled attacker with local authenticated access could exploit this vulnerability to gain administrative access.

NOTE: This is virtually the same advisory that was published earlier this month for the Sensormatic Tyco AI. Each respective Johnson Controls advisory calls the subsidiary ‘American Dynamics’ rather than Sensormatic.

GENIVI Advisory

This advisory describes a heap-based buffer overflow vulnerability in the GENIVI DLT-Daemon. The vulnerability was reported by Jan Schrewe of Informatik. GENIVI has a new version that mitigates the vulnerability. There is no indication that Schrewe has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to achieve remote code execution or crash the application.

Factory Automation Update #1

This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on January 14th, 2021. The new information includes providing updated affected version information and mitigation measures for:

• EZSocket, and

• PX Developer

Factory Automation Update #2

This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on January 14th, 2021. The new information includes providing updated affected version information and mitigation measures for MELSEC iQ-R Series Motion Module.

FA Engineering Update

This update provides additional information on an advisory that was originally published on February 18th, 2021. The new information includes:

• Adding the following to the list of affected products:

iQ Monozukuri ANDON (Data Transfer), and

iQ Monozukuri Process Remote Monitoring (Data Transfer), and

• Providing updated affected version information and mitigation measures for:

CPU Module Logging Configuration Tool,

CW Configurator,

Data Transfer,

FR Configurator2,

GT Designer3 Version1(GOT1000),

GT Designer3 Version1(GOT2000),

GT SoftGOT1000 Version3,

GT SoftGOT2000 Version1,

GX LogViewer,

PX Developer, and

RT ToolBox3

JT2Go Update #1

This update provides additional information on an advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021. The new information includes:

• Moving CVE-2020-26989, CVE-2020-26990, and CVE-2020-28383 to advisory SSA-663999, and

• Moving CVE-2020-26991 to SSA-695540

JT2Go Update #2

This update provides additional information on an advisory that was originally published on February 9th, 2021. The new information includes:

• Removing vulnerabilities CVE-2020-26991, CVE-2020-26998, CVE-2020-26999, CVE-2020-27001, and CVE-2020-27002, and

• Adding CVE-2020-28383 and CVE-2021-31784.

S 1260 Debate Continues – Endless Frontiers Act – 5-26-21

Yesterday the Senate continued their debate of S 1260, the Endless Frontiers Act. Three amendments were adopted (one by unanimous consent) and five were rejected by recorded votes (all failing to reach the agreed-upon 60 votes for passage). None of the amendments yesterday dealt with cybersecurity issues.

Yesterday there were an additional 56 amendments submitted. They included one hazardous material amendment and two cybersecurity amendments. The amendments were:

• SA 2037 - Sen Portman (R,OH) - At the appropriate place in title V of division B, insert the following:

SEC. 25XX. Regulation of foreign manufacturers of cylinders used in transporting hazardous materials. Pg S3513

• SA 2070 - Sen Bennet (D,CO) - At the appropriate place, insert the following:

SEC. XXX. Establishment of national reserve digital corps Pg S3529

• SA 2075 - Sen Hassan (D, NH) - At the appropriate place, insert the following:

SEC. XXX. Cybersecurity and infrastructure security apprenticeship program. Pg S3532

The filing deadline for further amendments was set for today at 2:30 EDT.

Review OMB Approves Emergency TSA Pipeline Reporting Changes

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) approved two emergency revisions to information collection requests (ICR) from the Transportation Security Administration (TSA) for pipeline security reporting requirements. The ICR revisions are for the “Critical Facility Information of the Top 100 Most Critical Pipelines” (1652-0050) and “Pipeline Operator Security Information” (1652-0055). Both ICR-revision requests used similar language concerning the recent Colonial Pipeline ransomware attack as part of the justification for the emergency approval request.

The TSA Pipeline Security Guidelines referenced in these two ICRs have recently been updated. The revisions do not specifically address cybersecurity issues. Rather, they revise the methodology for identifying critical pipeline facilities.

For detailed analysis of the ICR’s see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-emergency-tsa-pipeline

Wednesday, May 26, 2021

S 1260 Debate Continues – Endless Frontiers Act – 5-25-21

Yesterday the Senate continued their debate of S 1260, the Endless Frontiers Act. Three amendments were adopted by unanimous consent and three were rejected by recorded votes (all failing to achieve the agreed upon 60 votes for passage). None of the amendments yesterday dealt with cybersecurity issues.

Yesterday there were an additional 41 amendments submitted. They included three new cybersecurity related amendments:

• SA 1999 – Sen King (I,ME) – At the appropriate place, insert the following:

Subtitle C—Cyber and Technology Diplomacy Pg S3442

• SA 2005 – Sen Blackburn (R,TN) - At the end of title V of division B, add the following:

SEC. XXX. Study on national laboratory consortium for cyber resilience. Pg S3447

• SA 2013 - Sen Ossoff (D,GA) - At the end of title V of division B, add the following:

SEC. 2528. Enhancing cybersecurity education Pg S3452

The debate was scheduled to continue today with votes scheduled on three more amendments (none cybersecurity related). Cloture votes for the substitute language and then the amended bill are currently scheduled for Thursday.

HR 2100 Introduced – PALS Act

Back in March Rep Nehls (R,TX) introduced HR 2100, the Providing Americans with LNG Safely (PALS) Act. The bill would prohibit DOT from taking action to stop the shipment of liquefied natural gas (LNG) by rail. This is very similar to S 1012 that was introduced earlier this year in the Senate, but Nehls added a cute name.

Prohibition on Action

The very short bill would specifically stop DOT from taking two different types of regulatory action concerning the shipment of LNG by rail. The first would be a prohibition against issuing any regulation or long-term order that prohibits the transportation of LNG by rail. The second would prevent similar DOT actions that would restrict or contract the scope of PHMSA’s final rule authorizing the shipment of LNG by rail that was issued last year.

The bill does specifically state that: “Nothing in this section shall be construed to limit the authority of the Secretary of Transportation from issuing short-term emergency orders related to the transportation of liquefied natural gas by rail.”

Moving Forward

While Nehls is a member of the Transportation and Infrastructure Committee to which this bill was assigned for consideration, and a cosponsor is Ranking Member Graves (R,MO), there is no way that this bill will be considered in Committee. This is almost a strictly party-divided issue. Even in a nearly evenly divided House, this bill could never make it to the floor for consideration.

Bills Introduced – 5-25-21

Yesterday with the Senate in Washington and the House meeting in pro forma session, there were 138 bills introduced. There was one bill that might receive additional coverage in this blog:

HR 3520 To preempt State data security vulnerability mandates and decryption requirements. Rep. Lieu, Ted [D-CA-33]

This is really getting down into the weeds of cybersecurity legislation. I will be watching for language and definitions that include control system security coverage, but I also may cover this bill solely based upon its preemption requirements.

Tuesday, May 25, 2021

2 Advisories Published – 5-25-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Datakit Libraries.

Rockwell Advisory

This advisory describes a channel accessible by non-endpoint vulnerability in the Rockwell Micro800 and MicroLogix 1400 controllers. The vulnerability was reported by Hyunguk Yoo from The University of New Orleans, as well as Adeen Ayub and Irfan Ahmed from Virginia Commonwealth University. Rockwell provides generic workarounds for the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker can remotely exploit the vulnerability, which may result in denial-of-service conditions that could require a firmware flash to recover.

NOTE: The Rockwell advisory recommends blocking or restricting access to TCP and UDP ports 44818 and 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. This is not mentioned in the NCCIC-ICS guidance.
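One way to verify that the port restriction Rockwell recommends is actually holding is to audit flow records for EtherNet/IP traffic (TCP/UDP 44818 for CIP explicit messaging, UDP 2222 for CIP implicit I/O) that reaches a controller from anywhere other than the engineering workstation subnet. The following is an added example, not Rockwell or CISA code; the flow-log format, the subnets, and the sample flows are all constructed for the illustration:

```python
"""Flag EtherNet/IP traffic that bypasses the port restriction Rockwell
recommends.  Added illustration, not Rockwell or CISA code.  The flow-log
format, the subnets and the sample flows are assumptions for this example."""
import ipaddress
from typing import Iterable, List, Tuple

# Ports named in the Rockwell advisory.  Both transports are checked on both
# ports because the advisory says to restrict TCP and UDP for each.
ENIP_PORTS = {44818, 2222}

# Assumed network layout: only the engineering workstation subnet may talk
# EtherNet/IP to the controller subnet.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]
CONTROLLERS = [ipaddress.ip_network("10.10.20.0/24")]

# Constructed sample flow records: "src dst proto dst_port", one flow per line.
SAMPLE_FLOWS = """\
10.10.5.12 10.10.20.7 tcp 44818
10.10.5.12 10.10.20.7 udp 2222
192.168.1.40 10.10.20.7 tcp 44818
10.0.0.99 10.10.20.8 udp 2222
10.0.0.99 10.10.20.8 tcp 443
"""

Flow = Tuple[str, str, str, int]


def parse_flow(line: str):
    """Split one flow record into typed fields."""
    src, dst, proto, port = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(port))


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def find_violations(flow_lines: Iterable[str]) -> List[Flow]:
    """Return (src, dst, proto, port) for every EtherNet/IP flow that reaches
    a controller from a source outside the allowlist.  Anything that is not
    EtherNet/IP, or not aimed at a controller, is ignored."""
    hits: List[Flow] = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = parse_flow(line)
        if port not in ENIP_PORTS or not in_any(dst, CONTROLLERS):
            continue
        if not in_any(src, ALLOWED_SOURCES):
            hits.append((str(src), str(dst), proto, port))
    return hits


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_FLOWS.splitlines()):
        print("unexpected EtherNet/IP access: %s -> %s %s/%d" % hit)
```

Run against the constructed sample, the two flows from 192.168.1.40 and 10.0.0.99 are reported and the 443 flow is ignored; a firewall that enforces the advisory's recommendation should make this list empty on real flow data.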

DataKit Advisory

This advisory describes five vulnerabilities in the DataKit Software libraries embedded in Luxion KeyShot software. The vulnerabilities were reported by rgod via the Zero Day Initiative. DataKit has a new version that mitigates the vulnerabilities and Luxion has a new version that contains the new DataKit version.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2021-27488,

• Improper restrictions on XML external entity reference - CVE-2021-27492,

• Stack-based buffer overflow - CVE-2021-27494,

• Untrusted pointer dereference - CVE-2021-27496, and

• Out-of-bounds read - CVE-2021-27490

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute arbitrary code or disclose arbitrary files to unauthorized actors.
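The "disclosure of arbitrary files" outcome in that list comes from the XML external entity (XXE) item: a crafted model file declares an entity whose SYSTEM identifier points at a local file, and a parser that resolves external entities copies that file's contents into the parsed document. The following added example shows the vulnerable and the hardened parser configuration side by side using Python's standard-library SAX parser; it is an illustration written for this post, not DataKit or Luxion code (their libraries are native), and the "secret" file and the model document are constructed for the demonstration:

```python
"""Vulnerable versus hardened XML parsing, to show the file-disclosure path
behind an 'improper restriction of XML external entity reference' finding.
Added illustration in Python's stdlib SAX parser; not DataKit or Luxion code.
The secret file and the malicious document are constructed here."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, which is where an expanded entity ends up."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks)


def build_malicious_doc(target_path: str) -> bytes:
    """A constructed 'model file' whose DTD points an entity at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE model [\n'
        '  <!ENTITY xxe SYSTEM "%s">\n'
        ']>\n'
        '<model><name>&xxe;</name></model>' % target_path
    ).encode()


def parse_vulnerable(doc: bytes) -> str:
    """Parser that resolves external general entities: the contents of the
    file named in the DTD are pulled into the document's text."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler.text()


def parse_hardened(doc: bytes) -> str:
    """Refuse any untrusted document that carries a DTD at all, and keep
    external entity resolution switched off for the parser that handles the
    rest (this is the default in current Python, but set it explicitly)."""
    if b"<!DOCTYPE" in doc:
        raise ValueError("DTDs are not accepted from untrusted input")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return handler.text()


def demo():
    """Create a throwaway 'secret' file and run both parsers against a
    document that tries to read it.  Returns (leaked_text, hardened_rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("TOP-SECRET-DRAWING-DATA")
        doc = build_malicious_doc(secret_path)
        leaked = parse_vulnerable(doc)
        try:
            parse_hardened(doc)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable parser extracted:", repr(leaked))
    print("hardened parser rejected the document:", rejected)
```

Rejecting the DOCTYPE outright is the simplest robust fix because it also closes the entity-expansion (billion laughs) variants; only turning off external entity resolution is the minimum, and the example does both.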

S 1260 Debate Continues – Endless Frontiers Act – 5-24-21

Yesterday the Senate continued their debate of S 1260, the Endless Frontiers Act. No votes were held yesterday on amendments to this bill. There were 53 new amendments submitted including four related to cybersecurity issues. Debate will continue tomorrow.

The new cybersecurity related amendments were:

• SA 1932 - Sen Inhofe (R,OK) - At the end of title III of division F, add the following:

SEC. 6302. Addressing threats to national security with respect to wireless communications research and development. Pg S3349

• SA 1946 - Sen Graham (R,SC) - At the end, add the following:

DIVISION G—Combating Chinese theft of trade secrets Pg S3355

NOTE: Includes: TITLE III—Combating cybercrime Pg S3357

• SA 1950 - Sen Hawley (R,MO) - At the appropriate place, insert the following:

SEC. XXX. Imposing data security requirements and strengthening review of foreign investments with respect to certain technology companies from foreign countries of concern. Pg S3364

• SA 1954 - Sen Hawley (R,MO) - At the appropriate place, insert the following:

SEC. XXX. Requirement that certain providers of systems to Department of Defense disclose the source of printed circuit boards when sourced from certain countries. Pg S3367

Review HR 2980 Markup – Cybersecurity Vulnerability Remediation Act

Last week the House Homeland Security Committee held a markup hearing that considered seven bills, including four cybersecurity related bills. One of those cyber bills was HR 2980, the Cybersecurity Vulnerability Remediation Act. The bill was ordered favorably reported after substitute language was approved. Both actions were taken under unanimous consent.

The substitute language offered by Rep Jackson-Lee (D,TX) included specifically adding control system security references when discussing the cybersecurity vulnerabilities covered by the bill.

The bill is now likely to move to the floor of the House under the suspension of the rules process.

For more detailed information see my post at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2980-markup (subscription required).

Monday, May 24, 2021

Committee Hearings – Week of 5-24-21

With the Senate in Washington and the House conducting a Hearing Week, there will be a full slate of committee hearings this week. The FY 2022 spending development process continues this week with three hearings of interest here. There is also one cybersecurity hearing and a DHS oversight hearing on the schedule.

FY 2022 Spending

The first year of any new administration is always a bit confused in the development of budget and spending proposals, especially when the change is as abrupt and complicated as this one. Spending bills are still ‘expected’ to be published in the House before the end of next month; we will see. This week we will see three department-level hearings in the appropriate subcommittees of the two appropriations committees:

DHS – 5-26-21, Senate, DHS Subcommittee

DOD – 5-27-21, House, Defense Subcommittee, and

DOC – 5-26-21, Senate, CJS Subcommittee

Cybersecurity Hearing

On Tuesday two subcommittees of the House Science, Space, and Technology Committee will hold a joint hearing on “SolarWinds and Beyond: Improving the Cybersecurity of Software Supply Chains”. The witness list includes:

• Matthew Scholl, National Institute of Standards and Technology,

• Trey Herr, Atlantic Council,

• Katie Moussouris, Luta Security, and

• Vijay D’Souza, Government Accountability Office.

DHS Oversight

On Wednesday the DHS Subcommittee of the House Appropriations Committee will be holding a hearing on “Department of Homeland Security Resource Management and Operational Priorities”. The sole witness will be Secretary Mayorkas. While Republicans will be focusing on border and immigration issues, I do expect that there will be significant questions about the Department’s response to recent cyber incidents and its plans to prevent and counter such attacks in the future.

On the Floor

The Senate will continue with their consideration of S 1260, the Endless Frontiers Act. More amendments will be submitted, and some will even be considered. This may take up most of the week.

Sunday, May 23, 2021

Review - S 1193 Introduced - US-Israel Cybersecurity Cooperation Enhancement Act

Last month Sen Rosen (D,NV) introduced S 1193, the United States-Israel Cybersecurity Cooperation Enhancement Act of 2021. The bill would require DHS to establish a grant program to support joint US-Israeli cybersecurity research, development, and commercialization efforts. The bill authorizes a minimum of $6 million to support the grant program each year through 2026.

Bills similar to this have been submitted over the last couple of Congresses in both the House and Senate. The House has been able to pass these bills, but the Senate has not been able to move one out of Committee. Rosen has submitted similar language as a proposed amendment to S 1260, The Endless Frontier Act, that is currently being considered in the Senate.

A more detailed analysis of this bill can be found at CFSN Detailed Analysis - https://tinyurl.com/2zzm9b39 (subscription required).

Saturday, May 22, 2021

S 1324 Introduced - Civilian Cyber Security Reserve Act

Earlier this month Sen Rosen (D,NV) introduced S 1324, the Civilian Cyber Security Reserve Act. The bill would authorize DOD and DHS to each establish a separate Civilian Cyber Security Reserve pilot project “to address the cyber security needs of the United States with respect to national security”. Each pilot project’s authorization would end seven years after it was established. The bill would authorize such sums as may be necessary for these projects.

Personnel in either CCSR could be activated and given a noncompetitive appointment to a temporary position in the competitive or excepted service. Those appointments would last no more than six months. While in those temporary positions, they would be considered Federal civil service employees under 5 USC 2105.

Moving Forward

Rosen is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that she could have enough influence to see this bill considered in Committee. I suspect that there would be some level of bipartisan support for the bill. If considered, I would expect to see it favorably reported.

This bill is not important enough to make it to the floor of the Senate for consideration. The time necessary to go through the debate and amendment process means that a bill only comes to the floor when it is important enough in the eyes of the Senate leadership to consume those limited resources. I would suspect that there would be enough opposition to the bill to prevent it from being considered under the unanimous consent process.

Commentary

There is an ongoing problem in the government (and of course in industry as well) of finding enough people with cybersecurity expertise to fill all of the positions needed to maintain the level of cybersecurity knowledge required for the daily grind of protecting the government’s cyber systems. This bill is not really designed to address that general issue.

What Rosen and her sole cosponsor {Sen Blackburn (R,TN)} are attempting to do with this bill is to provide some level of surge capacity at DOD and DHS to deal with large-scale incidents like the SolarWinds attacks or the Microsoft email server problems. Having trained and experienced personnel available to be called up on short notice would certainly make that kind of incident response much easier.

A more detailed analysis of this bill is available at CFSN Detailed Analysis, subscription required.

Public ICS Disclosure Moving to Substack

Starting next Saturday, my weekly blog post “Public ICS Disclosure” will only be available on my subscription Substack page; CFSN Detailed Analysis. There will be a very abbreviated version available on this site, but it will serve mainly to point at the Substack article. This week’s post is on both sites.

It is pieces such as this that are helping to push me to a subscription service. This week’s post took almost four hours to prepare. Last week’s “second Tuesday” posts took about 15 hours to prepare.

Look forward to seeing you on Substack.

Public Comments on CISA Vulnerability Discovery ICR Revision – 5-22-21

On March 19th, 2021 DHS published a 60-day information collection request (ICR) notice to support the expansion of their Vulnerability Discovery program (VDP) to other agencies in the federal government. The comment period closed on the ICR notice this week. Only one additional comment was received beyond the two I reported on over a month ago. The last comment comes from CERT/CC at the Carnegie Mellon University's Software Engineering Institute.

CERT/CC’s comment contains a very good description of the type of information needed in an actionable vulnerability report.

CISA will now evaluate the comments received and prepare their 30-day ICR notice. I suspect that there will be only a relatively short delay until that notice is published in the Federal Register. Typically this takes a couple of months, but has been known to take years on more controversial ICRs.

Public ICS Disclosures – Week of 5-15-21

This week we have seven vendor disclosures from Bosch, CODESYS (2), WAGO, Endress+Hauser, Siemens, and VMware. We have two vendor updates from Siemens. Finally, we have a researcher report for products from Advantech.

Bosch Advisory

Bosch published an advisory discussing an input validation vulnerability in their IndraMotion MTX, MLC and MLD and the ctrlX CORE PLC application products. This is a third-party (CODESYS) vulnerability. An update for the ctrlX CORE PLC APP is pending. Generic mitigation measures are provided.

CODESYS Advisories

CODESYS published an advisory describing an improper input validation vulnerability in their CODESYS V3 products. The vulnerability was reported by Alexander Nochvay from Kaspersky Lab ICS CERT. CODESYS has software updates available to mitigate the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

CODESYS published an advisory describing a NULL pointer dereference vulnerability in their CODESYS V3 products. The vulnerability was reported by Uri Katz of Claroty. CODESYS has new versions available that mitigate the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

WAGO Advisory

CERT-VDE published an advisory discussing twelve vulnerabilities in the WAGO PLCs. These are third-party (CODESYS) vulnerabilities that were reported by JSC Positive Technologies. WAGO has new firmware versions available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Allocation of resources without limit or throttling - CVE-2021-21000,

• Path traversal - CVE-2021-21001,

• Heap-based buffer overflow - CVE-2021-30186,

• Stack-based buffer overflow (2) - CVE-2021-30188, CVE-2021-30189,

• Improper input validation - CVE-2021-30195,

• Improper access control - CVE-2021-30190,

• Buffer copy without checking size of input - CVE-2021-30191,

• Improperly implemented security check - CVE-2021-30192,

• Out-of-bounds write - CVE-2021-30193,

• Out-of-bounds read - CVE-2021-30194,

• Improper neutralization of special elements used in an OS command - CVE-2021-30187

NOTE: The first two vulnerabilities have apparently not yet been addressed by CODESYS and have been given CERT-VDE CVE numbers.

ENDRESS+HAUSER Advisory

CERT-VDE published an advisory discussing the KRACK attack vulnerabilities in the ENDRESS+HAUSER Proline portfolio flow meter products. ENDRESS+HAUSER has firmware updates that mitigate the vulnerabilities.

Siemens Advisory

Siemens published an advisory describing five vulnerabilities in their JT2Go and Teamcenter Visualization products. The vulnerabilities were reported by the Zero Day Initiative and Carsten Eiram from Risk Based Security. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2020-26991,

• Out-of-bounds read (3) - CVE-2020-26998, CVE-2020-26999, and CVE-2020-27002, and

• Stack-based buffer overflow - CVE-2020-27001

NOTE: Apparently, none of the above vulnerabilities is the 0-day vulnerability that ZDI published for this product on April 28th.

VMware Advisory

VMware published an advisory describing three out-of-bounds read vulnerabilities in their VMware Workstation and Horizon Client for Windows. This is a third-party (Cortado ThinPrint) vulnerability. The vulnerabilities were reported by Anonymous at ZDI and Hou JingYi of Qihoo 360. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE: The Cortado web site makes the following claim about ThinPrint, so these vulnerabilities may exist in other ICS products.

“Thanks to numerous OEM partnerships, ThinPrint technology components are integrated in a variety of terminals, print boxes and thin client of leading hardware manufacturers.”

Siemens Updates

Siemens published an update for their JT2Go and Teamcenter Visualization advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021. The new information includes:

• Moving vulnerabilities CVE-2020-26989, CVE-2020-26990, and CVE-2020-28383 to advisory SSA-663999 (see below), and

• Moving vulnerability CVE-2020-26991 to SSA-695540 (see new advisory above).

NOTE: NCCIC-ICS should be updating their advisory, ICSA-21-012-03, this coming week.

Siemens published an update for their JT2Go and Teamcenter Visualization advisory that was originally published on February 9th, 2021. The new information includes:

• Removing vulnerabilities CVE-2020-26991, CVE-2020-26998, CVE-2020-26999, CVE-2020-27001, and CVE-2020-27002, and

• Adding vulnerabilities CVE-2020-28383 and CVE-2021-31784 (from update above).

NOTE: NCCIC-ICS should be updating their advisory, ICSA-21-040-06, this coming week.

Advantech Report

ZDI published a report describing a use of hard-coded credentials vulnerability in the Advantech BB-ESWGP506-2SFP-T industrial switches. ZDI coordinated the disclosure with NCCIC-ICS.

Friday, May 21, 2021

CFSN Detailed Analysis - Substack Site

Sharp-eyed readers will have noticed that earlier this week I established a publication site on Substack.com. Readers might remember that I have been debating for some time how to monetize my long-time publication, Chemical Facility Security News. I have published over 8,000 blog posts since 2007 and have made maybe $1,000 from the publication over that time. It is time to do something different.

I considered transferring the Chemical Facility Security News blog to Substack. They are not set up to support that large of an undertaking. I might be able to transfer the files, but I would have to go back and put the correct publication dates on each post… it is just not practical. I also considered just starting over on Substack, but there would be just too many readers that would not make the transition and I have worked hard to establish this largely anonymous reader base.

So, I decided to take the middle ground. The new publication, CFSN Detailed Analysis, will consist of the longer analytic pieces that I have been publishing over the years, those pieces that really stretch the definition of the term ‘blog’. Access to those pieces will be via the Substack subscription service. I will typically post a notice about those pieces on the current blog. Typically, those notices (with links) will be found at the end of a related blog post. See, for example, my blog post on the introduction of HR 3243.

Substack also allows me to offer free access articles on the site. Currently, the only thing that I am intending on offering free is a daily post listing the posts on both my Chemical Facility Security News and Future ICS Security News blogs (see here for example). I am doing this because I suspect that there may be a slightly different audience available on Substack than what I currently have on my conventional blogs. Hopefully this will drive traffic to those blogs. It could also be used by my current readers as a daily digest to determine what posts they might want to read.

This whole thing is a work in progress. I would like to receive feedback on the new project. What would you be willing to pay for? Would you prefer to see the paid and free posts on the same site? What would drive you away from the blog if it were moved behind the subscription wall?

I am not trying to get rich off this effort. I am trying to reduce the need for a day job that takes time away from my wife, my researching, and increasingly my writing. Readers might have noticed that I have become somewhat more prolific over the last month or so. That is because I have been recovering from relatively minor surgery. But next week I return to my day job to keep the bills paid and that time will be reduced. The wife has been much happier with me being home, and I have been writing more. That is what I want to continue to be able to do.

S 1260 Debate Continues – Endless Frontiers Act – 5-20-21

Yesterday the Senate continued their debate of S 1260, the Endless Frontiers Act. Two votes were held on amendments to the substitute language; both failed along partisan lines. Neither amendment was on a topic of interest in this blog. Debate will continue Monday.

There were 125 amendments to the bill submitted yesterday. Three of those amendments concerned cybersecurity issues. Those amendments were:

• SA 1768, Sen Rosen (D,NV) - At the appropriate place, insert the following:

SEC. XXX. United States-Israel cybersecurity cooperation. Pg S3231

• SA 1793, Sen Daines (R,MT) - At the appropriate place, insert the following:

SEC. XX. Study relating to consequences and benefits of amending the CFAA. Pg S3245

• SA 1831, Sen Hassan (D,NH) - At the appropriate place, insert the following:

SEC. XX. Cybersecurity and infrastructure security apprenticeship program. Pg S3261

NTSB Publishes UAS Accident NPRM

Today the National Transportation Safety Board (NTSB) published a notice of proposed rulemaking (NPRM) in the Federal Register (86 FR 27550-27551) for “Amendment to the Definition of Unmanned Aircraft Accident”. The rulemaking would remove the weight-based requirement and replace it with an airworthiness certificate or airworthiness approval requirement. This action is being undertaken to reflect the evolving nature of UAS usage and regulation.

Current Definition

The current definition of the term ‘unmanned aircraft accident’ is found at 49 CFR 830.2. That definition requires that the occurrence defining the accident include either of the two following characteristics:

• Any person suffers death or serious injury; or

• The aircraft has a maximum gross takeoff weight of 300 pounds or greater and sustains substantial damage.

Proposed Change

In this rulemaking, the NTSB is proposing to replace the second characteristic with the phrase “holds an airworthiness certificate or approval”. The Preamble to the NPRM notes that:

“While this definition ensured that the NTSB expended resources on UAS events involving the most significant risk to public safety, the advent of higher capability UAS applications—such as commercial drone delivery flights operating in a higher risk environment (e.g., populated areas, beyond line-of-sight operations, etc.)—has prompted the agency to propose an updated definition of “unmanned aircraft accident.”

This change “will treat a UAS with airworthiness certification or airworthiness approval in the same manner as a manned aircraft with airworthiness certification or airworthiness approval, thereby enabling the NTSB to immediately investigate, influence corrective actions, and propose safety recommendations.”

Public Comments

The NTSB is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NTSB-2021-0004). Comments should be submitted by July 20th, 2021.

Bills Introduced – 5-20-21

Yesterday, with both the House and Senate in session, there were 177 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 3386 To promote the use of smart technologies and systems in communities, and for other purposes. Rep. DelBene, Suzan K. [D-WA-1]

HR 3388 To amend title 18, United States Code, to increase penalties for certain computer fraud and related offenses that involve critical infrastructure, and for other purposes. Rep. Fallon, Pat [R-TX-4]

I will be watching both bills for language and definitions that would specifically include industrial control systems in their coverage.

Thursday, May 20, 2021

1 Update Published – 5-20-21

Today CISA’s NCCIC-ICS published an update for a control system security advisory for products from multiple RTOS vendors.

Multiple RTOS Update

This update provides new information for an advisory that was originally published on April 29th, 2021 and most recently updated on May 6th, 2021. The new information includes:

• Removing Micrium uCOS II/uCOS III from the list of affected products,

• Adding Micrium uC/OS: uC/LIB to the list of affected products,

• Removing CVE-2021-27407 from the list of vulnerabilities (it has also apparently been removed from the National Vulnerability Database),

• Removing update information for Micrium uCOS II/uCOS III, and

• Adding update information for Micrium uC/LIB

NOTE: The advisory mistakenly refers back to the original version (4-29-21), not the last update. 

S 1260 Debate Continues – Endless Frontiers Act – 5-19-21

Yesterday the Senate continued their debate on S 1260, the Endless Frontiers Act. As I noted yesterday, the substitute language being considered for this bill includes a number of new cybersecurity provisions. There were votes on two amendments yesterday, neither of particular interest. There were 180 new amendments submitted, including one UAS protection amendment and four cybersecurity amendments. Debate was expected to continue today.

The UAS amendment was SA 1680, Sen Lee (R,UT) - Strike section 4411 and insert the following:

SEC. 4411. Authority to enter into contracts to protect facilities from unmanned aircraft. Pg S3167

The cybersecurity amendments were:

• SA 1534, Sen Barrasso (R,WY) - At the end of subtitle C of title I of division C, add the following:

SEC. 3124. Prohibition on importation of power inverters from countries from which cyberattacks on United States critical energy infrastructure originate. Pg S2793

• SA 1552, Sen Risch (R,ID) - At the appropriate place, insert the following:

SEC. XXX. Strengthening and enhancing cybersecurity usage to reach small businesses. Pg S2800

• SA 1581, Sen Manchin (D,WV) - Strike section 4252(a) and insert the following:

(a) IN GENERAL.—Title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

Subtitle C—Declaration of a Significant Incident. PG S3111

• SA 1614, Sen Scott (R,FL) - At the appropriate place in title III of division F, insert the following:

SEC. 63XX. Securing the bulk-power system. Pg S3135

Two amendments, SA 1523 and SA 1518, were scheduled for votes today. Neither of these amendments address issues that I cover in this blog.

HR 3243 Introduced - Pipeline Security Act

Last week Rep Cleaver (D,MO) introduced HR 3243, the Pipeline Security Act. The bill would amend 49 USC 114, specifically charging the Transportation Security Administration with responsibility for pipeline cybersecurity. Additionally, the bill would require the establishment, and outline the responsibilities, of a pipeline security section within TSA.

The Homeland Security Committee considered the bill earlier this week in a markup hearing. After considering and adopting three separate amendments, the bill was ordered reported and favorably recommended to the full House. One of the amendments would raise the status of the TSA pipeline cybersecurity program by changing the ‘section’ to a ‘pipeline security division’.

Moving Forward

The unanimous consent adoption for this bill in Committee would indicate that the bill has strong bipartisan support. That would normally mean that it should move easily to the floor of the House, probably under the suspension of the rules process. Unfortunately, bipartisan support is not all that a bill needs to move forward. In this case there are at least three other committees (the Science, Space, and Technology Committee, the Energy and Commerce Committee, and the Transportation and Infrastructure Committee) that think that they should have oversight responsibilities for cybersecurity in pipelines.

The language in this bill would specifically cut them out of the oversight process. That is why the §1631 language was shoehorned into 6 USC Title XVI (the CISA title) instead of in 49 USC where the TSA §114 is. That means that two Committee Chairs and a number of influential congresscritters are going to work hard to stop this bill from moving forward. This chair infighting has delayed a large number of homeland security related initiatives over the years, chemical facility security being a prime example. At this point I do not see the House leadership moving this bill forward.

For a more detailed review of the contents of the bill and the amendments adopted in Committee, see my post (subscription required) on ‘CFSN Detailed Analysis’ on Substack.com.

Wednesday, May 19, 2021

CFATS and NTAS – 5-18-21

The CISA Office for Chemical Security published a ‘Latest News’ notice on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center about the relationship between CFATS requirements and last week’s publication of a new National Terrorism Advisory System (NTAS) bulletin.

The bottom line of the short message is found in the last two sentences:

“As of May 17, 2021, tiered CFATS facilities are not being required to implement the heightened security measures under Risk-Based Performance Standards (RBPS) 13 and 14 of their security plans. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14.”

Heightened Security Measures

RBPS 13 addresses ‘Security Measures and Considerations for Elevated Threats’. The Risk Based Performance Standards guidance document section on RBPS 13 specifically addresses the various levels in the old, color-coded alert system that DHS adopted shortly after it was created. That system was replaced in 2011, but the guidance document has not been updated since it was first published in May of 2009. It lists the types of security measures that should be considered for the various threat levels in the old system, and facilities are expected to have planned measures that can easily be put into place for the higher threat levels.

But the new NTAS Bulletins, first initiated in 2015, do not fit into that Elevated Threats scenario because there is no actionable information provided in Bulletins that can guide facilities to respond with increased security measures.

RBPS 14 addresses ‘Specific Threats, Vulnerabilities, or Risks’. This standard comes into play when a facility is specifically notified of a threat targeted at that facility. Again, there is no actionable information about any specific threats that could require a facility to implement new security measures.

In other words, the information provided in this ‘Latest News’ item should come as no surprise to anyone responsible for security at a CFATS covered facility. But it is reasonable to assume that if news of a specific threat does become available, communication with potentially affected facilities may first be initiated by direct communication from OCS to specific facilities, probably through chemical security inspectors, before public communications are made.

Senate Begins Debate on S 1260 – Endless Frontier Act

Yesterday the Senate began considering S 1260, the Endless Frontier Act. As is typical for such bills, the Senate has scrapped both the introduced and reported language for the bill, and is instead considering substitute language (Schumer Amendment, SA 1501) offered by Sen Grassley (R,IA). While the original bill did not have any significant cybersecurity language, the substitute language adds a number of cybersecurity provisions.

New Cybersecurity Provisions

Looking at the table of contents of SA 1501, these are the new cybersecurity provisions:

DIVISION B - ENDLESS FRONTIER ACT

TITLE II - NSF Research, STEM, and Geographic Diversity Initiatives

Sec. 2305. Protecting research from cyber theft

TITLE VI - SPACE MATTERS

PART VIII - Miscellaneous Provisions

Sec. 2676. Cybersecurity.

DIVISION D - Homeland Security and Governmental Affairs Committee Provisions

TITLE II—Cyber and Artificial Intelligence

Subtitle B—Cyber Response and Recovery

Sec. 4251. Short title.

Sec. 4252. Declaration of a significant incident

TITLE III – Personnel

Subtitle B—Federal Rotational Cyber Workforce Program

Sec. 4351. Short title.

Sec. 4352. Definitions.

Sec. 4353. Rotational cyber workforce positions.

Sec. 4354. Rotational cyber workforce program.

Sec. 4355. Reporting by GAO.

Sec. 4356. Sunset.

Sections 4251 and 4252 are probably derived from S 1316, the Cyber Response and Recovery Act. Sections 4351 through 4356 are probably derived from S 1097.

Other Amendments

There were 23 amendments submitted yesterday for S 1260. In addition to SA 1501 there was an additional cybersecurity amendment, SA 1516 (pg S2741). That amendment would add a section to the bill addressing “United States-Israel Cybersecurity Cooperation”. There is currently no indication if that amendment will be considered on the floor of the Senate.

Bills Introduced – 5-18-21

Yesterday, with both the House and Senate in session, there were 74 bills introduced. One of those may receive additional coverage in this blog:

HR 3313 To require the Secretary of State to design and establish a Vulnerability Disclosure Process (VDP) to improve Department of State cybersecurity and a bug bounty program to identify and report vulnerabilities of internet-facing information technology of the Department of State, and for other purposes. Rep. Lieu, Ted [D-CA-33] 

I will be watching this bill for language and definitions that include building control systems and security systems in the coverage of the VDP. I am not going to hold my breath though.

HR 3138 Introduced - State and Local Cybersecurity Improvement Act

Last week Rep Clarke (D,NY) introduced HR 3138, the State and Local Cybersecurity Improvement Act. The bill amends the Homeland Security Act by adding a new §2220A, State and Local Cybersecurity Grant Program. It would require DHS to establish the “State and Local Cybersecurity Grant Program” to be administered by FEMA. The bill would authorize $500 million per year through 2026 for the grant program.

For detailed analysis of this bill see my post (subscription required) at https://patrickcoyle.substack.com/p/hr-3138-introduced

Tuesday, May 18, 2021

1 Advisory and 5 Updates Published – 5-18-21

Today CISA’s NCCIC-ICS published one control system security advisory for products from Emerson. They also updated five advisories for products from Mitsubishi. 

Emerson Advisory

This advisory describes six vulnerabilities in the Emerson Rosemount X-STREAM Gas Analyzer. The vulnerabilities are self-reported. Emerson has a firmware update that mitigates the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker can remotely exploit these vulnerabilities to allow an attacker to obtain sensitive information, modify configuration, or affect the availability of the device.

Multiple Products Update

This update provides additional information on an advisory that was originally published on September 1st, 2020 and most recently updated on January 26th, 2021. The new information includes updating affected versions and providing mitigation measures for:

• RJ71EN71,

• QJ71E71-100,

• LJ71E71-100,

• QJ71MT91,

• NZ2GACP620-60,

• NZ2GACP620-300, and

• GT25-J71GN13-T2

MELSEC iQ-R Series Update #1

This update provides additional information on an advisory that was originally reported on October 8th, 2020 and most recently updated on February 18th, 2021. The new information includes:

• Adding R08/16/32/120PSFCPU to the list of affected products, and

• Updating affected version numbers and adding mitigation measures for R16/32/64MTCPU.

MELSEC iQ-R, Q and L Series Update

This update provides additional information on an advisory that was originally published on October 29th, 2020. The new information includes:

• Deleting R 08/16/32/120 PSFCPU from the list of affected products, and

• Updating affected version numbers and adding mitigation measures for R 08/16/32/120 PCPU.

MELSEC iQ-R Series Update #2

This update provides additional information on an advisory that was originally published on November 19th, 2020. The new information includes updating affected version information and adding mitigation measures for:

• R08/16/32/120 PCPU, and

• R08/16/32/120PSFCPU

MELFA Update

This update provides additional information on an advisory that was originally published on January 21st, 2021. The new information includes:

• Modifying the description of “Countermeasures”, and

• Adding the IP filter function to “Mitigations”.

HR 3223 Introduced - CISA Cyber Exercise Act

Last week Rep Slotkin (D,MI) introduced HR 3223, the CISA Cyber Exercise Act. The bill would establish in CISA the National Cyber Exercise Program. It also takes care of some administrative changes to the section numbering in Subtitle A of title XXII of the Homeland Security Act of 2002.

Cyber Exercise Program

Section 2(a) of the bill amends the Homeland Security Act of 2002 by adding a new §2220A, National Cyber Exercise Program. It establishes in CISA the National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan, and other related plans and strategies. The program will be {new §2220A(a)(2)(A)}:

• Based on current risk assessments, including credible threats, vulnerabilities, and consequences,

• Designed, to the extent practicable, to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident,

• Designed to provide for the systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements, and

• Designed to promptly develop after-action reports and plans that can quickly incorporate lessons learned into future operations.

The Exercise Program will include a selection of model exercises that State, local, and Tribal governments, as well as private sector entities, could use in the design, implementation, and evaluation of exercises that {new §2220A(a)(2)(B)(ii)}:

• Conform to the requirements described above,

• Are consistent with any applicable national, State, local, or Tribal strategy or plan, and

• Provide for systematic evaluation of readiness.

HSA Cleanup

Congress writes many of their homeland security bills as amendments to the Homeland Security Act of 2002. The piecemeal nature of these amendments frequently results in section numbering issues that have to be corrected. The current version of the HSA has a series of these issues in Subtitle A, Cybersecurity and Infrastructure Security, of Title XXII. The table of contents shows:

Sec. 2214. National Asset Database.

Sec. 2215. Sector Risk Management Agencies.

Sec. 2215. Cybersecurity State Coordinator.

Sec. 2215. Joint cyber planning office.

Sec. 2215. Duties and authorities relating to .gov internet domain.

Sec. 2216. Cybersecurity Advisory Committee.

Sec. 2217. Cybersecurity Education and Training Programs.

Section 2(b) of the bill corrects this multiple §2215 situation so that the revised table of contents will read:

Sec. 2214. National Asset Database.

Sec. 2215. Duties and authorities relating to .gov internet domain.

Sec. 2216. Joint cyber planning office.

Sec. 2217. Cybersecurity State Coordinator.

Sec. 2218. Sector Risk Management Agencies.

Sec. 2219. Cybersecurity Advisory Committee.

Sec. 2220. Cybersecurity Education and Training Programs.

Sec. 2220A. National Cyber Exercise Program.

Moving Forward

As I mentioned earlier, this bill will be marked up this afternoon by the House Homeland Security Committee. I expect that the bill will receive substantial bipartisan support. I then expect it to be considered by the full House under the suspension of the rules process.

Commentary

CISA, and its predecessor agency, have already been holding a series of national cybersecurity exercises, so this bill is not really starting something new with the National Cyber Exercise Program. I am not sure if CISA has had a formal program for being able to share exercise models with State, local and Tribal governments, so this may be an addition to the existing program.

It would be nice if CISA were able to stand up something like the TSA’s Exercise Information System to aid in the development of industry and local government cybersecurity exercises. Unfortunately, this bill does not go quite that far, and it does not provide for any funding that would allow for that type of expansion.

Update on Cybersecurity Markup – 5-18-21

The House Homeland Security web site now has complete listings for the seven bills that it will be marking up this afternoon. Four of the bills are cybersecurity bills and a fifth deals with critical infrastructure. I have not yet had a chance to publish detailed reviews of each of these bills, so I am going to do a quick review of those that I have not reviewed.

The five bills of interest are:

• HR 2980, the “Cybersecurity Vulnerability Remediation Act”

• HR 3138, the “State and Local Cybersecurity Improvement Act”

• HR 3223, the “CISA Cyber Exercise Act”

• HR 3243, the “Pipeline Security Act”

• HR 3264, the “Domains Critical to Homeland Security Act”

HR 3138

This bill is similar to HR 5823 from last session. It would establish a grant program, the State and Local Cybersecurity Grant Program, with $500 million being authorized each year for the program through 2026. Each grant applicant would have to submit a cybersecurity plan to DHS for approval. Each applicant would also have to establish a cybersecurity planning committee. Multi-state grants would be authorized.

CISA would be required to establish a State and Local Cybersecurity Resiliency Committee. CISA would also be required to prepare and maintain a resource guide to help officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.

The definition of ‘information system’ in this bill uses the ICS inclusive definition from 6 USC 1501.

HR 3223

This bill would amend the Homeland Security Act of 2002 by adding a new section 2220A, National Cyber Exercise Program. It would require CISA to establish a National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan. No additional funding authorization is provided. CISA is already conducting similar cybersecurity exercises.

HR 3243

This bill (Committee Print) would amend 49 USC 114, Transportation Security Administration, mandating that TSA continue being responsible for securing pipeline transportation and pipeline facilities against cybersecurity threats {new §114(f)(16)}.

It would also add a new section 1631, Pipeline Security Section, in a new Subtitle D, Pipeline Security, to the Homeland Security Act of 2002. It would require TSA to establish a pipeline security section to implement the responsibilities of §114(f)(16) {§1631(a)}. The new section would include personnel with cybersecurity expertise {§1631(c)}.

HR 3264

This bill (Committee Print) would add a new section 890B, Homeland Security Critical Domain Research and Development, to the Homeland Security Act of 2002. It defines two new terms {§890B(c)}: ‘United States critical domains for economic security’ (NOT related to the cyber term ‘domains’) and ‘economic security’. Section 890B(a) would authorize research and development to identify and evaluate United States critical domains for economic security and homeland security. The bill authorizes $1 million for this program.
